Companies are adopting virtualization technologies at a faster and faster rate. They are virtualizing servers, desktops, storage, networks. But one aspect of infrastructure has been lagging -- very few companies address the growing demand for virtualized security.
Virtualized security is security technology that uses virtualization principles to create a flexible, logical security layer inside a virtualized data center. Because of the unique dynamic nature of a virtualized environment, traditional static security measures are often insufficient. Not only is it hard to manage static security devices next to a pool of dynamic virtual servers, but the security often gets in the way of the benefits of virtualization.
Encapsulation and portability of virtual machines free your virtual servers, allowing them to move from server to server. But if the security context can't follow the servers, you're forced to keep them stuck in place. Fortunately the virtualized security market is getting a lot more attention this year.
Up to this point, most virtual security offerings have been either virtual-appliance based or have deployed an agent inside a virtual machine. That gives them flexibility but also only limited access to virtual machine "internals." A new solution from VMware may change the table-stakes and inject momentum into the nascent virtual security industry. The recently announced VMSafe program will be a framework and API for virtual security services to interact with virtual machines and the hypervisor.
The API lets a virtual security tool inspect and filter all of a virtual machine's memory, CPU, processes, storage and network traffic. That gives virtual security solutions the ability to act on a virtual machine while maintaining complete isolation from any nasty stuff running inside. Unlike agent-based solutions that run on the operating system and can be disabled or compromised by malware, virtual security solutions would lie beyond the reach of the operating system.
Virtual security technologies have two effects. In the short term, they allow companies to overcome the difficulties of securing a virtual environment. Security engineers can use virtual security to build solutions that support virtual servers without compromising on important virtualization features such as resource-pooling and live migration (VMotion, XenMotion etc.) of virtual machines. In the longer term, virtual security can use the principles of virtualization to take security to a whole new level.
It's not just about working well with virtual machines, but introducing whole new concepts to security. Like the idea of moving a security context, in near-real-time, from one security device to another (FWMotion? IPSMotion?) or orchestrating the provisioning of a dynamic security policy, alongside the other resources that are created for a virtual machine (server, storage, networks etc). So ask not what security can do for virtualization, but ask instead what virtualization can do for security!